back to article Password reuse bot steals creds from weak sites, logs in to banks

The perils of password re-use have been laid bare with the discovery of a botnet dedicated to finding account credentials on websites and testing the logins it finds on banks. The work is clever since it avoids tripping botnet detection and brute force rate limiters in place at most security-savvy banks, but absent across the …

  1. Anonymous Coward
    Anonymous Coward

    When does a website specifically tell a user not to re-use the password when creating an account or updating a password?

    I can't think of any unless I just didn't bother reading it.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      When does a website specifically tell a user not to re-use the password when creating an account or updating a password?

      You do have a point, actually, because usually the account creation form is baked into the system and not easy to change. I must do some digging in WP and Joomla to see what I can do there - at present I don't run sites where others can log in and all of then run SSL and two-factor, but it is on the cards in the next few months so I might as well start looking into this.

      Actually, not for WP - I'm not even sure we'll continue with that platform. We have it running on FreeBSD and changed the admin URL which seems to confuse the heck out of script kiddies, but I have already seen the "long, slow burn" variety of probes from test sites we didn't publish - you can see in the 404 log the idiots hitting a server 50 or so times in a second with the same query (which is the very definition of insanity), but intermingled with that is steady automated plodding through known vulnerabilities at about 1 a minute or less - only when you sort the server logs do you see just much they have been trying.

      The good news is that that creates some certainty around an IP address not being up to much good, so I'll have to cook up a way to auto-blacklist those, maybe even permanently. Maybe we'll just keep a couple of WP sites around to act as early warning system :).

    3. Muscleguy Silver badge

      Fruity

      Apple do it. Very annoying when yet again the password I know I saved no longer works and I have to vary it during the password reset.

  2. Anonymous Coward
    Anonymous Coward

    If you use Online Banking you get what you deserve

    TFTFY.

    1. Anonymous Coward
      Anonymous Coward

      Re: If you use Online Banking you get what you deserve

      Being almost totally disabled, to get to the bank requires that I set aside five hours in addition to the actual transaction time due to the way HandyRide operates. Given that, the only time I actually suffer the waits involved is on payday. Online banking is rather nice.

      Sadly, my least secure password is due to stupid length and character requirements of my bank. I do keep a very close eye on those accounts. Oh, and no, changing banks is not an option.

    2. Alister Silver badge

      Re: If you use Online Banking you get what you deserve

      Actually, my online banking login requires knowledge of a numeric banking ID, a passphrase, and a uniquely generated passcode using a hardware dongle, so username + password from another site isn't going to get anyone very far.

      1. Valeyard

        Re: If you use Online Banking you get what you deserve

        both my banks have that too. I'm just wondering what frigging bank needs only a username and password?!

        and it's not likely to be an email address for username so what use is a password anyway?

        1. Cuddles Silver badge

          Re: If you use Online Banking you get what you deserve

          "I'm just wondering what frigging bank needs only a username and password?!"

          Santander and Co-op, to name the two that I know of. Santander actually needs two passwords (a 5 digit PIN and an actual password), but I really hope they don't think that's what two factor authentication means. Co-op needs password and the answer to one of 5 or so "secret" questions. They also both give you a username rather than allowing you to choose one (Santander is a string of numbers, Co-op users your account details). So it's not quite as bad as it sounds since although they both just have username/password combinations with no two factor security, neither should be vulnerable to credentials scraped from other sites.

          Edit: Also worth noting that both do use two factor authentication for setting up new transactions, so even if someone manages to get in and see my accounts, the worst they'd be able to do would be give money to someone I've paid before, they wouldn't be able to steal it for themselves.

        2. Anonymous Coward
          Anonymous Coward

          Re: If you use Online Banking you get what you deserve

          Capital One online credit card servicing requires just your username and 3 randomly-selected characters from your password, not the whole password. Which means if an intruder uses something like a "top-100 most common passwords" list he can eliminate multiples from the list for every 3-character guess he tries. I'm not sure they could make it any easier to brute force. Oh yes, if you tick the "remember me" box your username gets stored plaintext in a cookie.

          1. Michael H.F. Wilkinson Silver badge

            Re: If you use Online Banking you get what you deserve

            If my bank used username/password authentication I would take my money elsewhere. I d reuse passwords, but only on sites that are not important

            Like the Reg

      2. Keith Oborn

        Re: If you use Online Banking you get what you deserve

        Indeed. After the LinkedIn thing the other day I've been reviewing and changing passwords, and I must admit I have *never* found an online finance application of any sort that doesn't require "three factor" authentication, with one of the three being either "enter 3 randomly selected characters from factor 3" or "enter the one time code on the (RSA) dongle".

        Telco billing sites (BT, Vodafone) now seem to use SMS verification codes, and Lloyds does this for verification of transfers, so for that specific, and most dangerous, online banking action they are effectively requiring four factors, one of which is possession of the relevant mobile SIM.

        So on that basis I reckoned that my bank sites were the least likely to get hacked by password guessing.

        Of course, because El Reg only uses username/password, you have no way of knowing this is me ;-)

  3. Michael Habel

    Ok lets assume someone could get into my account. What good could they do with it, when they still need the physical Chip & Pin Card + an external Card Reader to generate the correct (RNG) TAN, which will be needed to complete any transaction.

    Its also down to the same limitation, as to why I haven't done any On-Line Baking in yonks, since I obviously, never invested the +60€ needed into such a Device.

    1. The Boojum

      Ok lets assume someone could get into my account. What good could they do with it,

      Well, they could pay off my overdraft, but that's about it. Anything else requires an effectively positive balance.

    2. Dale 3

      What good could they do with it

      Ok lets assume someone could get into my account. What good could they do with it

      Jeremy Clarkson had a similar thought when he published his bank account number and sort code in his newspaper column. Some joker quickly signed him up for a direct debit to a charity. Just because you can't think of something another person might do, doesn't mean they can't either. There's a lot more information than just account numbers available to someone who can get into your account.

      1. VBF

        Re: What good could they do with it

        Trouble with that is, your account number and sort code are sort of "out there" anyway. Any organisation with whom you've ever signed a Direct Debit, or anyone whom you've ever sent a cheque has those details.

        The thing with DDs is the Direct Debit Guarantee https://www.directdebit.co.uk/DirectDebitExplained/pages/directdebitguarantee.aspx should, in theory opffer some protection. That assumes that you check your account details regularly!

      2. johnaaronrose

        Re: What good could they do with it

        How did the joker obtain his password/passcode ?

  4. el_oscuro

    Obligatory XKCD

    So this guy is writing bots now?

  5. Anonymous Coward
    Anonymous Coward

    Remediation and mitigation

    It is now time to do that chore you have been putting off for so long:

    1) List all the websites and accounts you use which require a password

    2) Assess their risk to your general wellbeing, if compromised

    3) Assess the probability of their being compromised (seems to be rising)

    4) Start changing all your passwords to new, unique passwords (starting with the high risk, high probability accounts)

    5) Lather, rinse, repeat. You might even unsubscribe from a few dodgy sites along the way.

    And surf wisely, grasshopper. Always remember that security is a journey, not a destination

    1. Anonymous Coward
      Anonymous Coward

      Re: It is now time to do that chore you have been putting off for so long:

      For some of us.

      For others (raises hand) we practically invented hacking, and so are preternaturally aware of the basic risks (which are the same as always).

      If you have a friend who always uses the "wrong" password when logging in or using an ATM, that's what they are doing .....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019